By Kevin McKerr – As more and more South Africans rely on their mobile devices for everyday activities, the variety and impact of cybersecurity threats will continue to grow. At a recent National Science and Technology Forum Discussion in May 2015, it was noted that South Africa has the third-highest prevalence of cybercrime in the world after Russia and China.
Consumer mobile transactions are not the only high-value target for cybercriminals and hackers: employees’ personal mobile devices, increasingly used to access sensitive documents or internal networks, are also a prime target for cyber-espionage and data theft.
For the majority of South African businesses and government entities, the most vulnerable point of “going mobile” is the individual – whether employee, customer, or board member. Enterprises already have robust back-end systems and networks that can withstand even sophisticated cyber-security threats. But if you trust your employees when they’re at their desktop, why can’t you trust them when using a mobile device, connecting to the same systems as before? The challenge for IT leaders is to manage the new risks posed by mobile devices – and the individuals using them – creating myriad new connections to secure systems and data.
By framing their mobile security efforts around protecting these individuals, enterprise leaders can create a safe space for mobile innovation. There is a strong correlation between fears about mobile security and the wholehearted adoption of mobile’s potential. According to IDC, 54 percent of CIOs in Africa and the Middle East see devices and network security as a major challenge, and only 28 percent have allowed mobile enablement of their enterprise apps.
At the same time, IBM is working with a number of large banks in South Africa and Africa which now use the enhanced security of their mobile banking platforms as a key differentiator for customers. And being in the field creates opportunities for exponential process and efficiency benefits. During Hurricane Katrina, insurance agents were able to use mobile apps to take pictures for, record, and submit claims from the disaster zone – allowing them to process more than a hundred times the typical number of claims per day, when customers needed them the most.
Only when enterprises secure their people’s devices, and how they communicate with apps and back-end systems, will they be able to turn mobile into a major force for customer engagement and competitive differentiation. How can they do so?
Visibility, resistance, and happy end-users
Organisations can learn from the struggles of their overseas counterparts in the following three areas:
- Visibility, or understanding the devices and entry points now accessing corporate data and networks, is a critical first stage to addressing potential threats – the lack of which has led to “shadow IT” becoming endemic amongst organisations across mature markets. Africa’s IT leaders can avoid the threat of the unknown by investing in systems monitoring and intelligence dashboards. But they also need to determine how much risk – and therefore how much visibility – they need, depending on the mobile approach they wish to take. A BYOD policy for employees, for example, requires a different strategy to one involving corporate-approved devices.
- Resistance involves ensuring that data and connections (such as between apps and databases) are hardened against breaches. Visibility across data and connectivity can help cybersecurity teams “predict” where certain information will go, and implement the necessary measures (such as encryption or restricted access privileges). The focus for IT leaders should be mobile connections, as these are the points where secure data can leak or systems be exposed.
- User Experience goes beyond the app interface and must be seamless at every stage of the individual’s journey. Mobile security processes which create friction for users will be circumvented or ignored, potentially leading to even riskier behaviours and device usage in the organisation.
Mobile security should be approached not just in terms of volume (“we have x number of defences”), but from the perspective of threat authors themselves. A fragmented “piece by piece” adoption of mobile security platforms can generate incompatibilities and conflicts which themselves open up new vulnerabilities to malicious actors.
Instead, business leaders can tackle mobile security with an ERP-like approach, deploying integrated or modular solutions which overlap multiple layers of security and threat-awareness for mobile users. IBM itself only lets employees access data via mobile through a unique user profile (generated by its own MaaS360 solution); provides secure apps for mail, collaboration, and other typical functions; and restricts users to opening files within secure browser windows. This approach applies to every employee, in every country where IBM operates – a good example of thinking “risk” instead of just “features” for mobile security.
Major innovation dividends
Perhaps the most important goal of mobile security for enterprises is that it lets business leaders answer the question: “what does the mobile device really let us do?” Once risk is successfully managed, business managers can turn their attention to mobile collaboration, CRM, learning, and other functions that skew more comfortably to how employees want to access corporate resources. Enterprise mobile apps will boost efficiency in our core industries, like manufacturing and mining, by allowing employees to complete office tasks without leaving the field – like IBM and Apple’s Expert Tech app, which lets telco technicians schedule, diagnose, and fix repair tickets using information from their iOS devices. These innovations will determine Africa’s leaders in markets where consumers are accustomed to not just mobile apps, but faster, higher-quality, and more efficient service overall. To deliver that sort of experience and empower their employees, the continent’s business leaders will have to put security at the foundation of their efforts to innovatively and sustainably “go mobile”.
Kevin McKerr is security sales leader for IBM South Africa